Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Fix for Remote Code Execution - huntr.dev #117

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

Security Fix for Remote Code Execution - huntr.dev #117

wants to merge 11 commits into from

Conversation

huntr-helper
Copy link

https://huntr.dev/app/users/d3m0n-r00t has fixed the Remote Code Execution vulnerability 🔨. d3m0n-r00t has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
GitHub Issue URL | #116
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/python/fsociety/1/README.md

User Comments:

📊 Metadata *

Remote Code Execution vulnerability

Bounty URL: https://www.huntr.dev/app/bounties/open/1-python-fsociety

⚙️ Description *

Fixed code execution vulnerability by sanitizing the input. Previously the input was raw_input(). Fixed this by splitting the input at spaces (' ').

💻 Technical Description *

Fsociety had many instances where the input was executed as it is by the os.system code. The user input was the target variable which must be an IP address or a domain. But the user was able to execute arbitrary code by adding command line operators such as && or || etc. I splitted this input and made it a way that proper nmap script runs only when an Ip or domain is given as input. It ignores every other inputs.

🐛 Proof of Concept (PoC) *

Vulnerable code:

 def run(self):
        clearScr()
        print(self.nmapLogo)
        target = raw_input(self.targetPrompt)
        self.menu(target)

logPath = "logs/nmap-" + strftime("%Y-%m-%d_%H:%M:%S", gmtime())
        try:
            if response == "1":
                os.system("nmap -sV -oN %s %s" % (logPath, target))

Steps to reproduce the bug:

  1. Run python fsociety.py
  2. Select any vulnerable part. (For example 1. Information gathering -> 1. Nmap
  3. Supply any Ip or domain and with the command line operator supply the payload
127.0.0.1 && echo 'Hacked' > hacked.txt
  1. We can see hacked.txt file created in the directory.
    fsocityrce
    rcepoc

🔥 Proof of Fix (PoF) *

Fix:

target = raw_input(self.targetPrompt).split(' ')[0]

fixed

👍 User Acceptance Testing (UAT)

Just splited the input so that only the first parameter of the input is taken. Since IP or domain is considered as a single string it is passed through and the rest is splited out. If any thing other than an Ip or domain is supplied it shows an error showing 'unknown host'. So it doesn't break the code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LinksCoding LinksCoding LinksCoding approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@huntr-helper @LinksCoding @d3m0n-r00t @JamieSlome